|By Peter Weger||
|February 5, 2011 05:15 AM EST||
The WikiLeaks security fiasco has shed a lot of light on document security and its inherent irony: namely that the more confidential a document is, the more it's likely to be shared. Web Security Journal reached out to the CEO of Brainloop, Peter Weger, to discuss document compliance management as a risk mitigation strategy.
Web Security Journal: What security issues do you see becoming more pervasive in the coming months?
Peter Weger: A frequently unaddressed challenge is that companies’ most confidential documents are often those that travel the most outside the enterprise. Business depends on sharing information in collaborative processes like coordination among board members; working with research, supply and distribution partners; and communications with outside experts such as external counsel, consultants, auditors and regulatory authorities. However the more a document has to be accessed outside the corporate network, the greater the risk of leakage, so a company’s most sensitive documents are at much greater risk than other documents.
Web Security Journal: How do most businesses enable collaboration today?
Email continues to be the most common method used for information sharing and communication. Organizations tend to collaborate through this ubiquitous technology, sending emails to their employees, partners, suppliers and customers. These emails, of course, include content, attachments and links, some of which contain sensitive information.
To supplement email functionality, individual departments sometimes acquire Cloud-based collaboration applications, often without advice from corporate IT on the selection, vetting or implementation of these services. These systems provide rudimentary content storage, distribution and work flow that email lacks.
Web Security Journal: Where do the current methods fall short?
Weger: To state the obvious, email was not designed to be a real-time, multi-user, secure collaboration system. We know that email makes it extremely easy for security policies to be bypassed. A simple “reply all” can find an employee, either unintentionally or maliciously, sending sensitive information to one or more unintended recipients. Email and any attachments that arrive at the recipient’s mail client could be forwarded to other parties that may not have the right or need to view the information. In this latter instance, the organization that owned the data may never find out that this unexpected data sharing activity took place.
Most commercially-available Cloud-based collaboration offerings were purpose-built with a simple, primary objective of sharing information; security became an afterthought for most products. This becomes a serious risk when you consider that these products typically leave the control of the policy and access to the data in the hands of the collaboration solution provider. Some of the top-performing solutions have attempted to wrap security around the content in such a way that end users can apply document protections, requiring them to define the classification and sharing policies themselves. Of course, by putting the decision into the hands of end users with no experience in defining policy, and without the perspective of the company’s central policy standard, poor decisions could be made and sensitive data still exposed to unauthorized access and misuse. Organizations with hundreds of users have no way to ensure consistent application of security measures. In addition to putting their own documents at risk, using unsecure collaboration applications may result in companies violating their contractual obligations to protect their partners’ confidential information.
To address some of these risks, organizations continue to make significant investments in the various perimeter security technologies designed to prevent information from leaving the organization. Some of the technologies used include firewalls, network intrusion prevention systems (IPS), data loss/leak prevention (DLP) and more. The main problem with this ‘protect the perimeter’ approach is that these products focus on protecting at the infrastructure layer, not on the information itself, which must travel outside the network in order for the company to function. This effectively still leaves the user in control of the information’s destiny, which usually leads to the dangerous choice of expedience over security.
Web Security Journal: What is DCM and how does it fit in?
Weger: Document Compliance Management is a discipline that proactively manages information risk arising from sharing documents electronically.
As organizations move more of their information management processes outside the firewall to the extended enterprise, end users’ demands for collaboration come into conflict with corporate demands to protect information through consistent policy application and control over distribution. DCM seeks to reconcile these demands by creating security provisions that move with documents throughout their lifecycles, both inside and outside the network.
Web Security Journal: What are some of its applications?
Weger: Organizations that are struggling to collaborate while meeting their regulatory, compliance and governance requirements are grappling with the issues Document Compliance Management addresses. Ultimately, these organizations want to collaborate and transact securely within their communities of trust. Regulatory auditors will look for a complete audit trail that captures the entire lifecycle of the organization’s sensitive information; who had access to which documents at which point in time.
Consider the scenario in which inside counsel is required to work with outside counsel, each sharing sensitive legal documents with their counterparts on the other end. They need to maintain control over their documents after they have left the corporate network and they are required to keep a full audit trail of all document activity. They may deal with documents of varying levels of sensitivity, and need an easy way for end users to apply the appropriate controls to each document.
Another example is the Human Resources team collaborating with healthcare providers, financial services providers, state and federal tax entities, and more. Again, the documents need to be shared with trust and a full audit trail must be available to ensure that employees’ personal information has been protected as it passes to external parties. Some key components of this audit trail must document which information has been provided to which business partner, and whether or not they were able to print it, save it locally, or forward it to other people.
Web Security Journal: Why not just block all access by default?
Weger: Looking historically at security, most responses to attacks, breaches or compliance exceptions have been to shut down the operation or block the action. Years ago, when organizations experienced viruses running wild through their email systems, they simply shut down email until the problem was resolved. If they were worried about data leaving via USB sticks, they would blanket block the use of USB ports throughout the entire organization. We see this same model being applied to data protection within the collaboration space -- classify data as being sensitive and block it from being shared.
This model fails miserably. A block-by-default policy goes against the business models of today, which rely on employees, partners, suppliers, legal counsel, and other outside parties who must collaborate with each other using sensitive information.
Therefore, the main goal for DCM is to provide a secure means for end users to collaborate within corporate and regulatory policy for all approved parties, both inside and outside the organization. Corporate policy makers should risk rank business processes, define security policies and classifications, and roll them out to end users in a secure collaboration platform. This would ensure the proper use of documents, doing so in a way that is easy and transparent for the end user, without putting the end user in the unenviable position of having to make policy decisions. It must be simple enough that users will be comfortable doing their jobs within the systems they are already familiar with, as opposed to working around a protected system that is blocking them from collaborating.
Web Security Journal: What should an organization consider when implementing DCM?
Weger: Organizations should try to include these features in their own DCM programs:
- Centralized data classification, policy definition, and policy enforcement capabilities
- Enables end users to do their job without having to think about security, doing so without making them work outside of their existing business processes
- Is flexible enough to support a variety of business processes to prevent the proliferation of disparate point solutions, and can be easily integrated with the company’s existing ecosystem.
Organizations tend to focus on the tactical problems they face with data protection and often look to solve them with technology delivered by their traditional perimeter security vendor. If an organization really wants to be successful in enabling secure business collaboration, they must approach the problem at the document/information level; develop a plan to define and enable their end users, partners, and others to securely collaborate within the boundaries of their internal and/or regulatory constraints.
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
Jul. 4, 2015 09:30 AM EDT Reads: 821
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Among the proven benefits, DevOps is corr...
Jul. 4, 2015 09:15 AM EDT Reads: 789
Internet of Things is moving from being a hype to a reality. Experts estimate that internet connected cars will grow to 152 million, while over 100 million internet connected wireless light bulbs and lamps will be operational by 2020. These and many other intriguing statistics highlight the importance of Internet powered devices and how market penetration is going to multiply many times over in the next few years.
Jul. 4, 2015 09:00 AM EDT Reads: 2,295
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi’s VP Business Development and Engineering, will explore the IoT cloud-based platform technologies driving this change including privacy controls, data transparency and integration of real time context wi...
Jul. 4, 2015 09:00 AM EDT Reads: 1,314
WebRTC converts the entire network into a ubiquitous communications cloud thereby connecting anytime, anywhere through any point. In his session at WebRTC Summit,, Mark Castleman, EIR at Bell Labs and Head of Future X Labs, will discuss how the transformational nature of communications is achieved through the democratizing force of WebRTC. WebRTC is doing for voice what HTML did for web content.
Jul. 4, 2015 08:45 AM EDT Reads: 954
To many people, IoT is a buzzword whose value is not understood. Many people think IoT is all about wearables and home automation. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed some incredible game-changing use cases and how they are transforming industries like agriculture, manufacturing, health care, and smart cities. He will discuss cool technologies like smart dust, robotics, smart labels, and much more. Prepare to be blown away with a glimpse of the future.
Jul. 4, 2015 08:30 AM EDT Reads: 1,030
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Architect for the Internet of Things and Intelligent Systems, described how to revolutionize your archit...
Jul. 4, 2015 07:00 AM EDT Reads: 1,024
17th Cloud Expo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises are using some form of XaaS – software, platform, and infrastructure as a service.
Jul. 4, 2015 06:00 AM EDT Reads: 842
SYS-CON Events announced today that Secure Infrastructure & Services will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Secure Infrastructure & Services (SIAS) is a managed services provider of cloud computing solutions for the IBM Power Systems market. The company helps mid-market firms built on IBM hardware platforms to deploy new levels of reliable and cost-effective computing and high availability solutions, leveraging the cloud and the benefits of Infrastructure-as-a-Service (IaaS...
Jul. 4, 2015 03:00 AM EDT Reads: 852
The basic integration architecture, as defined by ESBs, hasn’t changed for more than a decade. Most cloud integration providers still rely on an ESB architecture and their proprietary connectors. As a result, enterprise integration projects suffer from constraints of availability and reliability of these connectors that are not re-usable across other integration vendors. However, the rapid adoption of APIs and almost ubiquitous availability of APIs amongst most SaaS and Cloud applications are rapidly redefining traditional integration approaches and their reliance on proprietary connectors. ...
Jul. 3, 2015 04:45 PM EDT Reads: 898
It is one thing to build single industrial IoT applications, but what will it take to build the Smart Cities and truly society-changing applications of the future? The technology won’t be the problem, it will be the number of parties that need to work together and be aligned in their motivation to succeed. In his session at @ThingsExpo, Jason Mondanaro, Director, Product Management at Metanga, discussed how you can plan to cooperate, partner, and form lasting all-star teams to change the world and it starts with business models and monetization strategies.
Jul. 3, 2015 12:00 PM EDT Reads: 2,395
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists addressed this very serious issue of profound change in the industry.
Jul. 3, 2015 09:00 AM EDT Reads: 1,364
Internet of Things (IoT) will be a hybrid ecosystem of diverse devices and sensors collaborating with operational and enterprise systems to create the next big application. In their session at @ThingsExpo, Bramh Gupta, founder and CEO of robomq.io, and Fred Yatzeck, principal architect leading product development at robomq.io, discussed how choosing the right middleware and integration strategy from the get-go will enable IoT solution developers to adapt and grow with the industry, while at the same time reduce Time to Market (TTM) by using plug and play capabilities offered by a robust IoT ...
Jul. 3, 2015 08:15 AM EDT Reads: 2,163
"We have a tagline - "Power in the API Economy." What that means is everything that is built in applications and connected applications is done through APIs," explained Roberto Medrano, Executive Vice President at Akana, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
Jul. 3, 2015 08:00 AM EDT Reads: 1,174
SYS-CON Events announced today that BMC will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. BMC delivers software solutions that help IT transform digital enterprises for the ultimate competitive business advantage. BMC has worked with thousands of leading companies to create and deliver powerful IT management services. From mainframe to cloud to mobile, BMC pairs high-speed digital innovation with robust IT industrialization – allowing customers to provide amazing user experiences with optimized IT per...
Jun. 29, 2015 12:15 PM EDT Reads: 2,799
There will be 150 billion connected devices by 2020. New digital businesses have already disrupted value chains across every industry. APIs are at the center of the digital business. You need to understand what assets you have that can be exposed digitally, what their digital value chain is, and how to create an effective business model around that value chain to compete in this economy. No enterprise can be complacent and not engage in the digital economy. Learn how to be the disruptor and not the disruptee.
Jun. 29, 2015 11:00 AM EDT Reads: 2,247
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will addresses this very serious issue of profound change in the industry.
Jun. 29, 2015 09:45 AM EDT Reads: 2,599
Business as usual for IT is evolving into a "Make or Buy" decision on a service-by-service conversation with input from the LOBs. How does your organization move forward with cloud? In his general session at 16th Cloud Expo, Paul Maravei, Regional Sales Manager, Hybrid Cloud and Managed Services at Cisco, discusses how Cisco and its partners offer a market-leading portfolio and ecosystem of cloud infrastructure and application services that allow you to uniquely and securely combine cloud business applications and services across multiple cloud delivery models.
Jun. 28, 2015 11:00 AM EDT Reads: 2,314
In his General Session at 16th Cloud Expo, David Shacochis, host of The Hybrid IT Files podcast and Vice President at CenturyLink, investigated three key trends of the “gigabit economy" though the story of a Fortune 500 communications company in transformation. Narrating how multi-modal hybrid IT, service automation, and agile delivery all intersect, he will cover the role of storytelling and empathy in achieving strategic alignment between the enterprise and its information technology.
Jun. 27, 2015 10:00 AM EDT Reads: 2,330
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists peeled away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud environment, and we must architect and code accordingly. At the very least, you'll have no problem fillin...
Jun. 26, 2015 12:00 PM EDT Reads: 2,325